There are some well-known SIP extension enumeration vulnerabilities in different VoIP servers, especially in Asterisk. This brute-force vector is based on studying the authentication responses of the target server. Sometimes its replies differ when the client uses a valid extension, so valid extensions are easy to discover. This vector is normally classified as a low security risk. Moreover, we're moving towards a federated SIP environment, in which the extension is the public email address of the user. But it's still important in some cases:

- To guide the next steps during a penetration test. For example, you can use the discovered extension to reduce the number of attempts in the SIP extension brute-force phase.
- Some RCE (Remote Code Execution) exploits need a valid extension to work.

After a little research, these are the known vulns:

- CVE-2009-3727: It's quite old and it's practically not present in real environments. It's still not imple...
The other day I said that we're now going to automate all VoIP tasks, trying to build a VoIP/UC vulnerability scanner. But I realized that there are some other tasks which I need in each penetration test that we could add too. This way we could avoid using other tools for an important part of the work. Normally, we're hired to carry out a VoIP-specific penetration test, but we also like to check (in a minimal way) the rest of the services involved. So I've added the following brute-force modules:

- Asterisk AMI: It was a must because this is a very common scenario.
- MySQL: The most common DB engine among VoIP servers.
- MongoDB: It's not used in VoIP, but I've been playing with this system lately and I really like it. So I decided to add a module for it as well.
- SSH / (S)FTP: More common protocols.
- HTTP(S): Useful when we find a web management panel for a VoIP server.
- TFTP: Widely used in VoIP to auto-provision the softphones of an organization.
- LDAP: Sometimes the V...